[ovirt-users] Ovirt Hosted-Engine VM iptables

Andrew Dent adent at ctcroydon.com.au
Tue May 30 05:56:24 UTC 2017


I can add a rule into iptables such as this
iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
I can see the addition has succeeded with this
iptables-save > /etc/sysconfig/iptables

But a reboot of the Engine VM (not the Host) doesn't keep the new rule, 
and I was expecting that during bootup CentOS would read from 
/etc/sysconfig/iptables.
Alas it isn't.

Found a solution.
After reading this
https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7
I installed iptables-services
But once installed I found that iptables -L showed no rules.
thankfully I still had the default hosted-engine rules in 
/etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
Then.....
service iptables save
restored the default hosted-engine rules including my rule for 5666.

Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there.
Success!!

To answer your other questions

 > Did you ask to configure the firewall during engine-setup?
Yes.
Looks like it setup firewalld for me.

 > Alternatively, it's recommended to use firewalld.
For the moment I have disabled firewalld and am using iptables....Is 
there a reason why firewalld is preferred over iptables?

Kind regards

Andrew
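A small POSIX shell helper for the persist-then-verify steps described above, added here as an example and not code from the thread or from oVirt. It assumes iptables-services is installed and firewalld is disabled, as in the post, and that the saved ruleset lives at the standard /etc/sysconfig/iptables; the sample ruleset it checks offline is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: persist one custom INPUT rule on
# the CentOS 7 engine VM with iptables-services, then verify it really landed
# in the saved ruleset before trusting a reboot.
# Assumptions: iptables-services is installed and firewalld is disabled, as in
# the post; the saved-rules path is the standard /etc/sysconfig/iptables.

SAVED_RULES=${SAVED_RULES:-/etc/sysconfig/iptables}

# Return 0 if the saved ruleset in file $1 holds an ACCEPT for tcp dport $2
# from source $3. iptables-save writes the source as "-s 192.168.0.10/32".
rule_persisted() {
    grep -Eq -- "^-A INPUT .*-s $3(/32)? .*--dport $2 .*-j ACCEPT" "$1"
}

# Insert the rule only if it is not already present (-C tests for it), save
# the running ruleset, enable the iptables unit so the file is loaded at boot,
# and report whether the rule is now in the saved file.
# Usage: persist_rule 5666 192.168.0.10
persist_rule() {
    port=$1; src=$2
    if ! iptables -C INPUT -s "$src" -p tcp -m tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        iptables -I INPUT -s "$src" -p tcp -m tcp --dport "$port" -j ACCEPT
    fi
    service iptables save
    systemctl enable iptables
    rule_persisted "$SAVED_RULES" "$port" "$src"
}

# Constructed sample of an iptables-save file (not a real engine ruleset) so
# the check can be exercised offline without touching the live firewall.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT'

# Dry run: 0 if the sample persists tcp port $1 from 192.168.0.10, else 1.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    if rule_persisted "$tmp" "$1" 192.168.0.10; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

Running `check_sample 5666` succeeds and `check_sample 22` fails, which is the same check `persist_rule` makes against the real saved file after `service iptables save`.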

------ Original Message ------
From: "Yedidyah Bar David" <didi at redhat.com>
To: "Andrew Dent" <adent at ctcroydon.com.au>
Cc: "users" <users at ovirt.org>
Sent: 29/05/2017 9:26:23 PM
Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables

>On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <adent at ctcroydon.com.au> 
>wrote:
>>  Hi
>>
>>  I would like to add rules into the iptables of the Hosted Engine VM 
>>in
>>  Ovirt.
>>  I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I 
>>would
>>  like to open port 5666
>>
>>  the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
>>  I have tried using the normal process for iptables (iptables-save 
>>etc), but
>>  it seems that the file
>>  /etc/sysconfig/iptables
>>  is ignored when the Ovirt Engine VM starts.
>
>What do you mean in "ignored"?
>
>What's the output of 'iptables-save'?
>
>Did you ask to configure the firewall during engine-setup?
>
>>
>>  How can I add permanent iptables rules into the Engine VM?
>
>On the engine vm (unlike hosts), the only thing that touches iptables
>is engine-setup. Before doing that it asks you if you want to configure
>the firewall. There aren't currently means to add your custom rules -
>either you manage it all by yourself or you let engine-setup do that.
>
>Alternatively, it's recommended to use firewalld. engine-setup can
>add to firewalld the stuff it wants, and you still can add your own
>stuff.
>
>If I got you wrong and you refer to the hosts (not engine), see also:
>
>https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>
>Best,
>
>>
>>  Kind regards
>>
>>
>>  Andrew
>>
>>
>>
>>  _______________________________________________
>>  Users mailing list
>>  Users at ovirt.org
>>  http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
>
>--
>Didi
